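/*
	Mirai: string heuristics for Mirai-style IoT bot binaries.

	The previous condition was "2 of them" over every string, including
	ordinary paths and libc error messages ("/dev/null", "/proc/cpuinfo",
	"Connection refused", ...). Any two of those co-occur in a very large
	share of benign Linux binaries, so the rule flagged goodware. The
	strings are now split into two sets:

	  $gen_*  generic strings, common in benign binaries; corroboration only
	  $ind_*  more distinctive strings; at least one is always required

	No string was dropped. Only the identifiers and the condition changed.
	The original numbering skipped $a18, so there are 31 strings in total.
*/
rule Mirai
{
	meta:
		// NOTE(review): author/date/ref/maltype/filetype look inherited from a
		// different rule. The ref path ends in "AAR", while the strings below
		// are Linux/embedded artefacts rather than a Windows "exe" RAT. Values
		// are left untouched so provenance is not rewritten; confirm and
		// correct them against the rule's real origin.
		author = " Kevin Breen <kevin@techanarchy.net>"
		date = "2014/04"
		ref = "http://malwareconfig.com/stats/AAR"
		maltype = "Remote Access Trojan"
		filetype = "exe"
		description = "String heuristics for Mirai-style IoT bot binaries; generic strings only corroborate"

	strings:
		// ---- Generic strings: never sufficient on their own ---------------
		$gen_cpuinfo = "/proc/cpuinfo"
		// strerror() messages, present in most statically linked libc builds
		$gen_estale = "Stale NFS file handle"
		$gen_enotnam = "Not a XENIX named type file"
		$gen_eusers = "Too many users"
		$gen_econnrefused = "Connection refused"
		$gen_eremoteio = "Remote I/O error"
		$gen_busybox = "/bin/busybox"
		$gen_resolv = "resolv.conf"
		$gen_devnull = "/dev/null"
		$gen_passwd = "/etc/passwd"
		// Fragments of ELF section names; they say "ELF", not "malicious"
		$gen_mdebug = "mdebug.abi"
		$gen_relro = "data.rel.ro"
		// Presumably the TR-069/CWMP port number (verify against samples).
		// A bare 4-digit ASCII string matches arbitrary data.
		$gen_7547 = "7547"

		// ---- More distinctive strings ----------------------------------
		// UPnP port-mapping SOAP field. Legitimate UPnP clients carry it too.
		$ind_upnp_portmap = "NewPortMappingDescription"
		$ind_dreambox_tag = "[DREAMBOX]"
		$ind_dreambox = "dreambox"
		$ind_get_bins = "GET /bins/"
		// Escaped bytes spell the ASCII text "ECHODONE"
		$ind_echodone = "\x45\x43\x48\x4f\x44\x4f\x4e\x45"
		$ind_watchdog = "/dev/misc/watchdog"
		$ind_challenge = "/var/Challenge"
		$ind_post_cdncgi = "POST /cdn-cgi/"
		// Each of these, XORed byte-wise with 0x22, yields "root", "default"
		// and "mother" in that order; presumably obfuscated table entries.
		// "PMMV" is only 4 bytes and can occur by chance in large files.
		$ind_xor_root = "PMMV"
		$ind_xor_default = "FGDCWNV"
		$ind_xor_mother = "OMVJGP"

		$ind_exploit_stage = "exploit_stage=3"
		$ind_echobot = "ECHOBOT"
		$ind_protocol_csp = "protocol.csp"

		$ind_250_proxy = "250-Proxy"
		$ind_td_srcaddr = "<td>Source Address</td>"
		$ind_connect_back = "connect back IP:PORT"

		// Hard-coded IPv4 indicator. Addresses get reassigned, so review its
		// age periodically; a stale entry becomes a false-positive source.
		$ind_ip = "185.244.25.217"

	condition:
		// Two distinctive strings, or one distinctive string backed by several
		// generic ones. Thresholds are a starting point: run the rule against
		// a goodware corpus (router/set-top firmware, busybox builds, UPnP
		// clients) and tune before using hits for blocking.
		//
		// This rule also matches plain-text files quoting these strings (rule
		// sets, reports). If it is only used on on-disk files, prefixing the
		// condition with "uint32(0) == 0x464c457f and" limits it to ELF
		// images. That check does not suit process-memory scans, so it is not
		// applied here.
		2 of ($ind_*) or
		(1 of ($ind_*) and 3 of ($gen_*))
}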